diff --git a/src/content/docs/waf/managed-rules/troubleshooting.mdx b/src/content/docs/waf/managed-rules/troubleshooting.mdx index 852602733d3..5c76c46de5c 100644 --- a/src/content/docs/waf/managed-rules/troubleshooting.mdx +++ b/src/content/docs/waf/managed-rules/troubleshooting.mdx @@ -22,6 +22,8 @@ By default, WAF's managed rulesets are compatible with most websites and web app You can use [Security Events](/waf/analytics/security-events/) to help you identify what caused legitimate requests to get blocked. Add filters and adjust the report duration as needed. +To get more detail about which part of a request matched a managed rule, enable [payload logging](/waf/managed-rules/payload-logging/) for the affected managed ruleset. Payload logging records the specific string that triggered each rule (encrypted with a key pair that you provide), which helps you confirm whether a match was a false positive. If you have not set it up yet, [configure payload logging](/waf/managed-rules/payload-logging/configure/) so that the matched payload is available the next time you investigate a false positive. Payload logging is available on Enterprise plans. + If you encounter a false positive caused by a managed rule, do one of the following: - **Add an exception**: [Exceptions](/waf/managed-rules/waf-exceptions/) allow you to skip the execution of WAF managed rulesets or some of their rules for certain requests. 
@@ -42,6 +44,8 @@ If you contact Cloudflare Support to verify whether a WAF managed rule triggers `http.host eq "example.com" and starts_with(http.request.uri.path, "/admin")` +- WAF managed rulesets are designed to inspect standard HTTP request content. Requests that upload binary content (for example, file uploads) can resemble attack payloads and cause false positives. To scan file uploads for malicious content, use [Malicious uploads detection](/waf/detections/malicious-uploads/) instead of relying on managed rules for that traffic. + ## Troubleshoot false negatives To identify false negatives, review the HTTP logs on your origin server.
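Review bot: In the first hunk (@@ -22,6 +22,8 @@), the added paragraph states the plan restriction only in its last sentence, "Payload logging is available on Enterprise plans.", after two sentences that tell the reader to enable and configure the feature. Move the availability statement to the start of the paragraph so readers on other plans learn it before following both links. The parenthetical "(encrypted with a key pair that you provide)" is also imprecise: encryption uses the public key, and the private key is what the reader needs later to decrypt the matched payload. Say so explicitly, because the logged string is whatever part of the request matched the rule and may include sensitive data.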
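Review bot: In the second hunk (@@ -42,6 +44,8 @@), the new bullet tells readers to use Malicious uploads detection "instead of relying on managed rules for that traffic" but does not say how to stop managed rules from evaluating upload requests, so the false positives it describes would continue. Link to [Exceptions](/waf/managed-rules/waf-exceptions/), which the context of the first hunk already references, and recommend scoping the exception to the upload endpoint with an expression like the one shown just above the bullet, rather than skipping the rulesets for broader traffic. The hunk header places this bullet in a list whose context is contacting Cloudflare Support, so also check whether it belongs with the false positive remediation options earlier on the page.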